Bug 4003 - Support authentication using existing kerberos ticket
Summary: Support authentication using existing kerberos ticket
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client
Version: 3.2.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.1.0
Assignee: Aaron Sowry
URL:
Keywords: ossman_tester
Depends on: 3183 4440
Blocks: 4572
Reported: 2011-09-27 16:04 CEST by Peter Åstrand
Modified: 2020-01-24 09:34 CET (History)

See Also:
Acceptance Criteria:
Comment 3 Aaron Sowry cendio 2012-11-01 14:21:56 CET
See bug #4440 for the pre-study results. Time estimate includes:

1) Patching OpenSSH to dynamically load GSSAPI libraries on supported platforms. This probably involves writing a communication layer to load the appropriate libraries if available, and shuffle requests back and forth. This layer could also be used to handle/translate SSPI requests on Windows.

2) Implementing the SSPI layer for Windows

3) Implementing the new functionality in the GUI

4) Documenting the new feature

5) Testing etc
Comment 4 Aaron Sowry cendio 2012-11-01 14:32:27 CET
Some helpful links:

SSPI/Kerberos Interoperability with GSSAPI:
http://msdn.microsoft.com/en-us/library/ms995352.aspx

Kerberos/GSSAPI Support in OpenSSH
http://www.sxw.org.uk/computing/patches/openssh.html

Differences between Heimdal and MIT Kerberos API
http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/h5l_mit_apidiff.html

Developing with GSSAPI
http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/gssapi.html

Build and installation instructions for the NoMachine OpenSSH Win32 Port
http://www.nomachine.com/ar/view.php?ar_id=AR01J00621
Comment 5 Aaron Sowry cendio 2012-12-06 09:44:14 CET
Step one: get the SSH client building with Kerberos support on all platforms.

Initial Kerberos commit to build system done in r26286.
Comment 6 Aaron Sowry cendio 2012-12-06 10:46:23 CET
Updated Solaris' sysroot on the build system with kerberos packages in r26287.
Comment 7 Aaron Sowry cendio 2012-12-06 11:05:12 CET
r26288: Make sure the OS X sysroot provides krb5 (it already does)
r26289: Make sure that cendio-build-krb5 is now a dependency of the client
Comment 8 Aaron Sowry cendio 2013-01-21 16:23:07 CET
r26432: Build OpenSSH with kerberos support, and provide a wrapper for loading the GSSAPI libraries dynamically at runtime.
Comment 9 Aaron Sowry cendio 2013-01-22 14:01:22 CET
r26442: Give correct paths for header files on Solaris, make sure that SSH builds with kerberos support on Solaris in the absence of expected (Linux only) libraries

r26443: In the absence of gssapi_generic on Solaris, make sure the correct functions are defined.
Comment 10 Aaron Sowry cendio 2013-01-22 15:08:25 CET
r26445: Use the correct extension when loading Apple's GSSAPI lib (.dylib not .so)
r26446: Use the correct type when declaring GSS_C_NT_HOSTBASED_SERVICE on OS X
Comment 11 Aaron Sowry cendio 2013-01-24 13:46:42 CET
r26452/26453: Initial commit for kerberos support in client GUI. Still need to handle error conditions and logging etc
Comment 12 Aaron Sowry cendio 2013-01-25 16:35:17 CET
We now need to implement some form of error handling. The error handling with regards to kerberos authentication should have 2 main goals:

1) Log with sufficient detail to enable advanced troubleshooting for administrators/support

2) Present simple error messages to the user for common errors/misconfigurations

There are two levels of error message in our implementation; GSSAPI/SSPI errors, and authentication mechanism errors (in our case, this means kerberos). The problem is that we are dealing with potentially 4 different kerberos implementations:

1) MIT Kerberos v5 (Linux, OS X < 10.7)
2) Heimdal Kerberos (OS X 10.7+)
3) Solaris' implementation (Solaris)
4) SSPI (Windows)

For any given error, some platforms provide an error code at GSSAPI level, some at kerberos level. Moreover, the error code returned may differ across platforms and kerberos implementations.

To satisfy goal 1), we should try to log specific error codes whenever possible. GSSAPI error codes are defined in the GSSAPI header files, so we can make use of those. For platform/implementation-specific authentication mechanism error codes, we will need to define the most common ones ourselves.

To satisfy goal 2), we should see if it is possible to associate a cross-platform set of error codes with a particular common scenario. For example, a missing credentials cache gives the following error codes on the following platforms:

Solaris: GSS_S_NO_CRED
Linux/OS X: KRB5_FCC_NOFILE

The next step is therefore to define a set of common error scenarios, and determine the error codes which might indicate these across all platforms.
Comment 13 Aaron Sowry cendio 2013-01-28 10:58:43 CET
Missing credentials cache
-------------------------
Linux:     KRB5_FCC_NOFILE
OS X 10.4: KRB5_FCC_NOFILE
OS X 10.8: KRB5_FCC_NOFILE
Solaris:   GSS_S_NO_CRED


Expired ticket
--------------
Linux:     KRB5KRB_AP_ERR_TKT_EXPIRED
OS X 10.4: KRB5KRB_AP_ERR_TKT_EXPIRED
OS X 10.8: GSS_S_CONTEXT_EXPIRED
Solaris:   KRB5_NO_TKT_IN_RLM


KDC Unresolvable
----------------
Linux:     KRB5_KDC_UNREACH
OS X 10.4: KRB5_TKT_NOT_FORWARDABLE
OS X 10.8: KRB5_KDC_UNREACH
Solaris:   KRB5_TKT_NOT_FORWARDABLE
Comment 14 Aaron Sowry cendio 2013-01-29 15:31:53 CET
r26462: Create a function pointer map for assigning GSSAPI function pointers more efficiently

r26465: Make sure we pass execution back to OpenSSH on error, to allow clean-up and/or try alternative authentication methods
Comment 16 Aaron Sowry cendio 2013-02-20 09:40:34 CET
OpenSSH now compiling for all platforms with kerberos support enabled (although not yet implemented on Windows). TODO:

- Implement SSPI wrapper functions on Windows (win32-sspi)

- For consistency, include win32-sspi.h from openbsd-compat.h instead of ssh-gss.h

- Investigate mktemp symbol conflict warnings on OS X build

- Investigate removing sed strings from ThinLinc client Makefile in favour of a more portable solution during the OpenSSH configure stage

- Possibly check for win32-sspi before defining GSSAPI during configure on the Windows build

- Check that we're not linking against any unnecessary/unsafe libs

- See if there are any fixes or enhancements which might be useful upstream
Comment 17 Aaron Sowry cendio 2013-02-20 10:09:18 CET
(In reply to comment #16)
> - For consistency, include win32-sspi.h from openbsd-compat.h instead of
> ssh-gss.h

r26637
Comment 18 Pierre Ossman cendio 2013-02-21 16:14:20 CET
Patch to get rid of extra libraries in ssh submitted upstream:

https://bugzilla.mindrot.org/show_bug.cgi?id=2072
Comment 19 Pierre Ossman cendio 2013-02-21 16:18:53 CET
Patch for Solaris support also submitted upstream:

https://bugzilla.mindrot.org/show_bug.cgi?id=2073
Comment 20 Pierre Ossman cendio 2013-03-13 14:45:10 CET
Two todos:

 a) The KERBEROS AUTH FAILED message should be removed and a failure should be handled inside LAST AUTHMETHOD (the same way it's done for other authentication methods).

 b) Also in LAST AUTHMETHOD, we need to detect when the server doesn't support GSSAPI.
Comment 21 Aaron Sowry cendio 2013-03-13 15:48:04 CET
gss_import_name implemented in r26791.
Comment 22 Aaron Sowry cendio 2013-03-20 08:49:15 CET
Initial commit of gss_init_sec_context done in r26825.

TODO:

- Implement expiry timestamp
- Sanity check of tokens returned from InitializeSecurityContext
- Check flags returned from InitializeSecurityContext
- Make sure that OpenSSH is getting everything it needs back from this function call (ret_flags, time_rec etc)
- Check if we can handle other return codes from InitializeSecurityContext
- See if we can set some kind of sensible minor_code for this function
Comment 23 Aaron Sowry cendio 2013-03-20 09:05:57 CET
Initial commit of gss_delete_sec_context done in r26826
Comment 24 Aaron Sowry cendio 2013-03-22 10:26:39 CET
gss_release_buffer committed in r26836.
gss_get_mic committed in r26838
Comment 25 Aaron Sowry cendio 2013-04-02 14:49:04 CEST
(In reply to comment #20)
> Two todos:
> 
>  a) The KERBEROS AUTH FAILED message should be removed and a failure should be
> handled inside LAST AUTHMETHOD (the same way it's done for other authentication
> methods).
> 
>  b) Also in LAST AUTHMETHOD, we need to detect when the server doesn't support
> GSSAPI.

Done in r26880, r26881, r26887, r26888.
Comment 26 Aaron Sowry cendio 2013-04-03 13:51:39 CEST
gss_release_name committed as r26896 + r26897
gss_release_cred committed as r26898
Comment 27 Aaron Sowry cendio 2013-04-04 13:31:42 CEST
(In reply to comment #16)
> - Check that we're not linking against any unnecessary/unsafe libs

Done.

libnsl in r26908, r26909
libutil in r26910
libcrypt in r26916
Comment 28 Aaron Sowry cendio 2013-04-11 08:47:07 CEST
Initial commit of gss_display_status in r27025
Comment 29 Aaron Sowry cendio 2013-04-11 09:36:57 CEST
(In reply to comment #16)
> OpenSSH now compiling for all platforms with kerberos support enabled (although
> not yet implemented on Windows). TODO:
> 
> - Implement SSPI wrapper functions on Windows (win32-sspi)

Initial versions of all functions required by the SSH client now implemented.

> - Investigate mktemp symbol conflict warnings on OSX build

These are just warnings, and don't seem to affect things.
 
> - Investigate removing sed strings from ThinLinc client Makefile in favour of a
> more portable solution during the OpenSSH configure stage

This is part of a larger project, i.e. separating OpenSSH's linking into client/server/tool portions. Not a priority right now.

> - Possibly check for win32-sspi before defining GSSAPI during configure on the
> Windows build

Not necessary if/when we commit upstream. 

> - See if there are any fixes or enhancements which might be useful upstream

This should be done last.
Comment 31 Aaron Sowry cendio 2013-05-07 09:42:19 CEST
GUI fixed in r27319
Comment 32 Aaron Sowry cendio 2013-05-07 11:30:05 CEST
Documentation added in r27320
Comment 33 Aaron Sowry cendio 2013-05-07 13:04:35 CEST
Kerberos authentication should now be working across all platforms. There are potentially a few minor improvements which can be made (some extra debugging messages etc), but I think the base functionality is sufficient that this bug can be closed.
Comment 34 Pierre Ossman cendio 2013-05-08 10:37:29 CEST
The tlclient UI is too small in simple mode. It's going to crop the branding image.
Comment 35 Aaron Sowry cendio 2013-05-08 11:03:59 CEST
(In reply to comment #34)
> The tlclient UI is too small in simple mode. It's going to crop the branding
> image.

r27343
Comment 36 Aaron Sowry cendio 2013-05-08 14:25:12 CEST
(In reply to comment #35)
> (In reply to comment #34)
> > The tlclient UI is too small in simple mode. It's going to crop the branding
> > image.
> 
> r27343

Improved in r27353.
Comment 37 Pierre Ossman cendio 2013-06-04 15:10:35 CEST
The gsswrap modification should be submitted upstream as well.
Comment 38 Pierre Ossman cendio 2013-06-05 10:46:42 CEST
Started with the worst case, a Windows KDC.

1. Set up a Windows 2012 AD DC
2. Joined a Fedora 19 machine (using realmd)
3. Had to set default realm in /etc/krb5.conf for some reason
4. Installed ThinLinc on said Fedora 19
5. Configured sshd to allow kerberos auth
6. Had to fill in .k5login since sssd was using decorated usernames (LKPG\tluser or tluser@lkpg.cendio.se)
7. Configured agent hostname (or ssh would fail to find the proper realm)[1]


Tested with these clients:

- Windows 8, joined to the domain: OK
- Fedora 18, only fetched a ticket: OK
- Fedora 19, fully joined[2][3]: OK
- Solaris, only fetched a ticket: OK
- OS X 10.4, only fetched a ticket: OK
- OS X 10.8, only fetched a ticket: OK

Note 1: you can log in as either LKPG\tluser or tluser@lkpg.cendio.se in these cases
Note 2: SELinux was on at all times during this



[1]: The fact that you have to configure agent_hostname is a bug IMO and we should add a new bugzilla entry for it.
[2]: Had to reboot after join to be able to log in though
[3]: I got this funky principal which I had to add to .k5login: tluser\@LKPG.CENDIO.SE@LKPG.CENDIO.SE
Comment 39 Pierre Ossman cendio 2013-06-05 10:58:52 CEST
Tested an expired ticket on Fedora 18. You need -d 5 to see what's happening:

2013-06-05T10:55:17: ssh[E]: NEXT AUTHMETHOD: gssapi-with-mic
2013-06-05T10:55:17: ssh[E]: debug1: Unspecified GSS failure.  Minor code may provide more information
2013-06-05T10:55:17: ssh[E]: Ticket expired
2013-06-05T10:55:17: ssh[E]: 
2013-06-05T10:55:17: ssh[E]: debug1: Unspecified GSS failure.  Minor code may provide more information
2013-06-05T10:55:17: ssh[E]: Ticket expired
2013-06-05T10:55:17: ssh[E]: 
2013-06-05T10:55:17: ssh[E]: debug1: Unspecified GSS failure.  Minor code may provide more information
2013-06-05T10:55:17: ssh[E]: 
2013-06-05T10:55:17: Last line was repeated 1 time(s).
2013-06-05T10:55:17: ssh[E]: debug1: Unspecified GSS failure.  Minor code may provide more information
2013-06-05T10:55:17: ssh[E]: Matching credential not found
2013-06-05T10:55:17: ssh[E]: 
2013-06-05T10:55:17: ssh[E]: debug1: No more authentication methods to try.
2013-06-05T10:55:17: ssh[E]: LAST AUTHMETHOD: publickey,gssapi-keyex,gssapi-with-mic,password

(there was an expired TGT and an expired session key in the cache)

Best we can do for now. OK.
Comment 40 Pierre Ossman cendio 2013-06-05 14:28:19 CEST
Valid TGT, but unreachable KDC:

2013-06-05T13:23:02: ssh[E]: NEXT AUTHMETHOD: gssapi-with-mic
2013-06-05T13:23:02: ssh[E]: debug1: Unspecified GSS failure.  Minor code may provide more information
2013-06-05T13:23:02: ssh[E]: Cannot contact any KDC for realm 'LKPG.CENDIO.SE'
2013-06-05T13:23:02: ssh[E]: 
2013-06-05T13:23:02: ssh[E]: debug1: Unspecified GSS failure.  Minor code may provide more information
2013-06-05T13:23:02: ssh[E]: Cannot contact any KDC for realm 'LKPG.CENDIO.SE'
2013-06-05T13:23:02: ssh[E]: 
2013-06-05T13:23:05: ssh[E]: debug1: Unspecified GSS failure.  Minor code may provide more information
2013-06-05T13:23:05: ssh[E]: 
2013-06-05T13:23:05: Last line was repeated 1 time(s).
2013-06-05T13:23:05: ssh[E]: AUTH FAILURE

Valid TGT and valid session ticket, but unreachable KDC: Works

Non-forwardable TGT: Works.
Comment 41 Pierre Ossman cendio 2013-06-07 11:32:52 CEST
Get a TGT from KDC #1, then switch to KDC #2:

2013-06-07T11:27:03: ssh[E]: NEXT AUTHMETHOD: gssapi-with-mic
2013-06-07T11:27:03: ssh[E]: debug1: Unspecified GSS failure.  Minor code may provide more information
2013-06-07T11:27:03: ssh[E]: KDC returned error string: PROCESS_TGS
2013-06-07T11:27:03: ssh[E]: 
2013-06-07T11:27:03: ssh[E]: debug1: Unspecified GSS failure.  Minor code may provide more information
2013-06-07T11:27:03: ssh[E]: KDC returned error string: PROCESS_TGS
2013-06-07T11:27:03: ssh[E]: 
2013-06-07T11:27:03: ssh[E]: debug1: Unspecified GSS failure.  Minor code may provide more information
2013-06-07T11:27:03: ssh[E]: 
2013-06-07T11:27:03: Last line was repeated 1 time(s).
2013-06-07T11:27:03: ssh[E]: AUTH FAILURE

Get a TGT from KDC #2, then connect to a server associated with KDC #1:

2013-06-07T11:29:29: ssh[E]: NEXT AUTHMETHOD: gssapi-with-mic
2013-06-07T11:29:29: ssh[E]: AUTH FAILURE
2013-06-07T11:29:29: ssh[E]: debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
2013-06-07T11:29:29: ssh[E]: AUTH FAILURE
2013-06-07T11:29:29: ssh[E]: debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
2013-06-07T11:29:29: ssh[E]: AUTH FAILURE
2013-06-07T11:29:29: ssh[E]: debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
2013-06-07T11:29:29: ssh[E]: AUTH FAILURE
2013-06-07T11:29:29: ssh[E]: debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
2013-06-07T11:29:29: ssh[E]: debug1: No more authentication methods to try.
2013-06-07T11:29:29: ssh[E]: LAST AUTHMETHOD: publickey,gssapi-keyex,gssapi-with-mic,password
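A small classifier for the "-d 5" tlclient ssh log excerpts quoted in comments 39 to 41, added here as an example (it is not ThinLinc or OpenSSH code): it maps the GSS minor-status strings in the log to the common error scenarios listed in comment 13, which is the "simple message for the user" goal from comment 12. The sample log is constructed from the quoted output, and the assumption that the LAST AUTHMETHOD line carries the methods the server offers is mine.

```python
import re

# Constructed sample, modelled on the "unreachable KDC" excerpt in comment 40.
SAMPLE_LOG = """\
2013-06-05T13:23:02: ssh[E]: NEXT AUTHMETHOD: gssapi-with-mic
2013-06-05T13:23:02: ssh[E]: debug1: Unspecified GSS failure.  Minor code may provide more information
2013-06-05T13:23:02: ssh[E]: Cannot contact any KDC for realm 'LKPG.CENDIO.SE'
2013-06-05T13:23:05: Last line was repeated 1 time(s).
2013-06-05T13:23:05: ssh[E]: AUTH FAILURE
"""

# One tlclient log line: "<timestamp>: ssh[E]: <message>"; other lines are ignored.
LINE_RE = re.compile(r"^(?P<ts>\S+): ssh\[E\]: (?P<msg>.*)$")

# Minor-status strings seen in this thread, mapped to the scenarios from comment 13
# plus the "TGT from the wrong KDC" case from comment 41.
MINOR_PATTERNS = [
    (re.compile(r"^Ticket expired"), "expired_ticket"),
    (re.compile(r"^Cannot contact any KDC for realm '(?P<realm>[^']+)'"), "kdc_unreachable"),
    (re.compile(r"^Matching credential not found"), "missing_credential"),
    (re.compile(r"^KDC returned error string: (?P<err>\S+)"), "kdc_error"),
]

def classify_gssapi_log(text):
    """Return (scenario, details) for one ssh log excerpt from tlclient."""
    attempted = False          # did ssh try gssapi-with-mic at all?
    last_methods = None        # methods listed on the LAST AUTHMETHOD line (assumed: server's offer)
    found, details = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        if msg.startswith("NEXT AUTHMETHOD: gssapi-with-mic"):
            attempted = True
        elif msg.startswith("LAST AUTHMETHOD: "):
            last_methods = msg[len("LAST AUTHMETHOD: "):].split(",")
        for pat, scenario in MINOR_PATTERNS:
            mm = pat.match(msg)
            if mm:
                if scenario not in found:
                    found.append(scenario)
                details.update(mm.groupdict())
    if last_methods is not None and not any(x.startswith("gssapi") for x in last_methods):
        return "server_no_gssapi", details   # the case from comments 20 b) and 44
    if found:
        return found[0], details             # first GSS minor status is the root cause
    if attempted:
        return "server_rejected", details    # no local GSS error, server refused (comment 41, case 2)
    return "unknown", details
```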
Comment 42 Pierre Ossman cendio 2013-06-07 16:05:57 CEST
Works fine with the principal ☭@LKPG.CENDIO.SE (with a Windows KDC no less).

Tested with Fedora 18 and Windows 8.
Comment 43 Pierre Ossman cendio 2013-06-10 14:34:43 CEST
Fedora 19 server with a RHEL 6 KDC:

- Fedora 18: OK
- Solaris: OK
- OS X 10.4: OK
- OS X 10.8: OK
Comment 44 Pierre Ossman cendio 2013-06-10 14:35:31 CEST
Fedora 18 client against Fedora 19 server without GSSAPI:

Correctly tells the user that the server doesn't support Kerberos.
Comment 45 Pierre Ossman cendio 2013-06-10 14:59:14 CEST
Fedora 18 client, Solaris 10 server, RHEL 6 KDC: Works
Comment 46 Aaron Sowry cendio 2013-06-11 19:59:11 CEST
(In reply to comment #37)
> The gsswrap modification should be submitted upstream as well.

https://bugzilla.mindrot.org/show_bug.cgi?id=2121
Comment 47 Pierre Ossman cendio 2013-06-12 11:34:29 CEST
Everything tested, and I could not find anything that did not work as expected.
Comment 48 Aaron Sowry cendio 2013-06-12 11:42:22 CEST
For reference, see also bug #4681.